Mbed TLS 2.7.0, 2.1.10 and 1.3.22 released

Description

Mbed TLS version 2.7.0 has been released, in addition to maintenance releases of Mbed TLS 2.1 and Mbed TLS 1.3.

Mbed TLS 2.7.0 introduces the ability to provide cryptographic hardware acceleration for many more of the library's functions, as well as addressing several security issues and resolving many defects. Mbed TLS 2.1.10 and 1.3.22 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.

These releases also address multiple security issues, including two significant ones that have been assigned the CVE identifiers CVE-2018-0487 and CVE-2018-0488, and for which security advisories are being provided.

End of life for Mbed TLS 1.3

Mbed TLS 1.3.0 was first shipped on 1st October 2013, and has now reached the end of its life. All users of Mbed TLS 1.3 are advised to upgrade to a later version of Mbed TLS wherever possible and should be aware that no further maintenance releases of Mbed TLS 1.3 are planned.

Security

(2.7, 2.1, 1.3) Fixed a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS. CVE-2018-0488

(2.7, 2.1, 1.3) Fixed a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution. Found by Seth Terashima, Qualcomm Product Security Initiative, Qualcomm Technologies Inc. CVE-2018-0487

(2.7, 2.1, 1.3) Fixed a buffer overflow in RSA-PSS verification when the unmasked data was all zeros.
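The two RSA-PSS entries above correspond to two consistency checks a verifier must make before touching the encoded message: that the key is large enough to hold hash, salt, separator and trailer at all (CVE-2018-0487), and that the unmasked data block actually contains a 0x01 separator before the scan for it runs off the buffer. The following is an added illustration written for this page, not Mbed TLS's own code; it follows RFC 8017 section 9.1.2 and assumes a verifier that accepts any salt length, with the DB samples constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* emLen = ceil((modBits - 1) / 8): the encoded message is one bit shorter
 * than the modulus, so for a key of 8N+1 bits it occupies N bytes while the
 * signature itself is N+1 bytes long. */
size_t pss_em_len(size_t mod_bits)
{
    return (mod_bits - 1 + 7) / 8;
}

/* Step 3 of RFC 8017 section 9.1.2: the encoding must have room for the
 * hash, the salt, the 0x01 separator and the 0xBC trailer. If it does not,
 * verification must stop here; continuing would read or write past the
 * buffer that holds the encoded message. Returns 1 if the sizes are
 * consistent, 0 otherwise. */
int pss_lengths_ok(size_t mod_bits, size_t hash_len, size_t salt_len)
{
    size_t em_len;

    if (mod_bits == 0)
        return 0;
    em_len = pss_em_len(mod_bits);

    /* guard the addition itself before using it in the comparison */
    if (hash_len > SIZE_MAX - 2 || salt_len > SIZE_MAX - 2 - hash_len)
        return 0;

    return em_len >= hash_len + salt_len + 2;
}

/* Step 10 for a verifier that accepts any salt length: after unmasking,
 * DB must be PS (zero bytes) || 0x01 || salt. The zero run is walked with
 * a bound, so an all-zero DB yields "inconsistent" instead of a scan past
 * the end of the buffer. Returns the salt offset, or -1 if inconsistent. */
long pss_find_salt(const unsigned char *db, size_t db_len)
{
    size_t i = 0;

    while (i < db_len && db[i] == 0x00)
        i++;
    if (i == db_len)            /* no separator at all (all-zero DB) */
        return -1;
    if (db[i] != 0x01)          /* PS must end exactly at a 0x01 byte */
        return -1;
    return (long)(i + 1);
}

/* constructed DB samples, not real signature material */
static const unsigned char DB_GOOD[]  = { 0x00, 0x00, 0x01, 0xAA, 0xBB };
static const unsigned char DB_ZEROS[] = { 0x00, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char DB_BADPS[] = { 0x00, 0x07, 0x01, 0xAA, 0xBB };

int main(void)
{
    printf("1024-bit key, SHA-256, 32-byte salt -> %d\n", pss_lengths_ok(1024, 32, 32)); /* 1 */
    printf("512-bit key, SHA-512, 64-byte salt  -> %d\n", pss_lengths_ok(512, 64, 64));  /* 0 */
    printf("salt offset in DB_GOOD  -> %ld\n", pss_find_salt(DB_GOOD, sizeof DB_GOOD));   /* 3 */
    printf("salt offset in DB_ZEROS -> %ld\n", pss_find_salt(DB_ZEROS, sizeof DB_ZEROS)); /* -1 */
    printf("salt offset in DB_BADPS -> %ld\n", pss_find_salt(DB_BADPS, sizeof DB_BADPS)); /* -1 */
    return 0;
}
```

The 8N+1 case matters because pss_em_len() then returns one byte less than the modulus length; a verifier that sizes its buffers from the modulus but indexes from emLen has to keep the two apart.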

(2.7, 2.1, 1.3) Fixed an unsafe bounds check in ssl_parse_client_psk_identity(): the check added 64kb to the address of the SSL buffer, which could cause the address to wrap around.
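The robust form of such a check compares the declared length against the space that remains, rather than adding the length to a pointer and comparing pointers. The following parser for the PSK identity field (a 2-byte big-endian length followed by the identity) is an added example written for this page, not the library's own code; the message samples are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Parse a PSK identity field: a 2-byte big-endian length followed by that
 * many identity bytes. p points at the field, end one past the last byte
 * of the message. On success returns the identity length and sets
 * *identity to its first byte; returns -1 for malformed input.
 *
 * The length is compared against (size_t)(end - p), the bytes actually
 * left, instead of forming p + len and comparing pointers: adding a large
 * length to a pointer can wrap, which is the class of error fixed above. */
int parse_psk_identity(const unsigned char *p, const unsigned char *end,
                       const unsigned char **identity)
{
    size_t len;

    if (end < p || (size_t)(end - p) < 2)      /* no room for the length prefix */
        return -1;

    len = ((size_t)p[0] << 8) | (size_t)p[1];
    p += 2;

    if (len > (size_t)(end - p))               /* identity would run past the message */
        return -1;

    *identity = p;
    return (int)len;
}

/* Convenience wrapper over a flat buffer. */
int parse_psk_identity_buf(const unsigned char *buf, size_t buflen)
{
    const unsigned char *id = NULL;
    return parse_psk_identity(buf, buf + buflen, &id);
}

/* constructed message samples */
static const unsigned char SAMPLE_OK[]    = { 0x00, 0x03, 'a', 'b', 'c' };  /* length 3, "abc" */
static const unsigned char SAMPLE_EMPTY[] = { 0x00, 0x00 };                 /* zero-length identity */
static const unsigned char SAMPLE_SHORT[] = { 0x00 };                       /* truncated prefix */
static const unsigned char SAMPLE_BAD[]   = { 0xff, 0xff, 'a', 'b' };       /* claims 65535 bytes */

int main(void)
{
    printf("ok    -> %d\n", parse_psk_identity_buf(SAMPLE_OK, sizeof SAMPLE_OK));        /* 3 */
    printf("empty -> %d\n", parse_psk_identity_buf(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY));  /* 0 */
    printf("short -> %d\n", parse_psk_identity_buf(SAMPLE_SHORT, sizeof SAMPLE_SHORT));  /* -1 */
    printf("bad   -> %d\n", parse_psk_identity_buf(SAMPLE_BAD, sizeof SAMPLE_BAD));      /* -1 */
    return 0;
}
```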

(2.7, 2.1) Fixed a potential heap buffer overflow in mbedtls_ssl_write() when the maximum fragment length extension was disabled and application data passed to the function mbedtls_ssl_write() was larger than the internal message buffer.

The exploitability of this issue depends on whether the application layer can be forced into sending such large packets. The issue was independently reported by Tim Nordell via e-mail and by Florin Petriuc and sjorsdewit. Fix proposed by Florin Petriuc in #1022. Fixes #707.

(2.7, 2.1, 1.3) Added a provision to prevent compiler optimizations breaking the time constancy of mbedtls_ssl_safer_memcmp().

(2.7, 2.1, 1.3) Added a provision to ensure that more buffers are cleared after use if they contain sensitive data. Changes were introduced in multiple places in the library.

(2.7, 2.1, 1.3) Added a provision to set the PEM buffer to zero before freeing it, to avoid decoded private keys being leaked to memory after release.
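The three entries above (constant-time comparison, clearing sensitive buffers, zeroing the PEM buffer before free) share one concern: an optimizing compiler may legally shortcut a comparison or drop stores to memory that is never read again. The following is an added example of the standard volatile-based technique, written for this page and not the library's own code; the tag and key bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant-time comparison. Every byte is visited and the XOR of each pair
 * is OR-ed into a volatile accumulator, so the compiler can neither stop at
 * the first mismatch nor fold the loop into a library memcmp(); the running
 * time therefore does not reveal where (or whether) the buffers differ.
 * Returns 0 if the n bytes are equal and non-zero otherwise. */
int safer_memcmp(const void *a, const void *b, size_t n)
{
    volatile const unsigned char *A = (volatile const unsigned char *) a;
    volatile const unsigned char *B = (volatile const unsigned char *) b;
    volatile unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= A[i] ^ B[i];

    return diff;
}

/* Wipe a buffer through a volatile pointer. A plain memset() right before
 * free() is a dead store the optimizer may remove; writes through volatile
 * must be performed, so the secret really is gone when the memory is
 * released. */
void zeroize(void *v, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *) v;
    while (n--)
        *p++ = 0;
}

/* Mirrors the PEM fix: fill a buffer with stand-in key bytes (constructed,
 * not a real key), wipe it, and report whether any byte survived.
 * Returns 1 if the buffer is all zero afterwards. */
int wipe_key_buffer(void)
{
    unsigned char key[32];
    size_t i, survivors = 0;

    memset(key, 0xA5, sizeof key);
    zeroize(key, sizeof key);
    for (i = 0; i < sizeof key; i++)
        survivors += (key[i] != 0);
    return survivors == 0;
}

/* constructed MAC tags differing only in the last byte */
static const unsigned char TAG_A[4] = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char TAG_B[4] = { 0xde, 0xad, 0xbe, 0xee };

int main(void)
{
    printf("equal  -> %d\n", safer_memcmp(TAG_A, TAG_A, 4));        /* 0 */
    printf("differ -> %d\n", safer_memcmp(TAG_A, TAG_B, 4) != 0);   /* 1 */
    printf("wiped  -> %d\n", wipe_key_buffer());                    /* 1 */
    return 0;
}
```

Note that safer_memcmp() is for equality of fixed-length secrets such as MAC tags; it deliberately gives no ordering and is not a drop-in for memcmp() where ordering is needed.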

(2.7, 2.1, 1.3) Made mbedtls_mpi_read_binary() constant-time with respect to the input data. Previously, trailing zero bytes were detected and omitted for the sake of saving memory, but potentially led to slight timing differences. Reported by Marco Macchetti, Kudelski Group.

(2.7, 2.1, 1.3) Fixed a potential heap buffer over-read in the ALPN extension parsing (server-side). This could result in an application crash, but only if an ALPN name larger than 16 bytes had been configured on the server.

(2.7, 2.1, 1.3) Changed the default choice of DHE parameters from the ones in RFC 5114 to the ones in RFC 3526, which were transparently generated.

Features

(2.7) Added support for alternative implementations of the CCM and CMAC modules to enable cryptographic hardware acceleration of them. Submitted by Steven Cooreman, Silicon Labs.

(2.7) Added support for alternative implementations of the GCM module, enabled by the configuration flag MBEDTLS_GCM_ALT, to enable cryptographic hardware acceleration of them.

(2.7) Added support for alternative implementations of the ECDSA module, controlled by the configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSA_GENKEY_ALT in config.h.

The following functions from the ECDSA module can be replaced with alternative implementations:
mbedtls_ecdsa_sign()
mbedtls_ecdsa_verify()
mbedtls_ecdsa_genkey()

(2.7) Added support for alternative implementations of ECDH, controlled by the configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.

The following functions from the ECDH module can be replaced with an alternative implementation:

mbedtls_ecdh_gen_public()
mbedtls_ecdh_compute_shared()

(2.7) Added support for alternative implementations of ECJPAKE, controlled by the configuration flag MBEDTLS_ECJPAKE_ALT.

(2.7) Added support for alternative implementations of the DHM module.

(2.7, 2.1) The selftest program can now execute a subset of the available tests controlled by command line arguments.

(2.7, 2.1) Added new unit tests for timing, to make the self-test more robust when executed on a heavily loaded machine.

(2.7, 2.1, 1.3) Comments can now be added to the test data files used by the test suites.

API Changes

Mbed TLS 2.7.0 maintains source code compatibility with previous versions of Mbed TLS but there are some changes which make the ABI incompatible with the previous version, Mbed TLS 2.6.0.

(2.7) Extended the RSA interface with multiple functions to allow structure-independent setup and export of the RSA contexts. Notably, mbedtls_rsa_import() and mbedtls_rsa_complete() have been introduced for setting up RSA contexts from partial key material and having them completed to the needs of the implementation automatically. This allows setup of private RSA contexts from keys consisting of N, D, E only, even if P, Q are needed for the purpose of CRT and/or blinding.

(2.7) The configuration option MBEDTLS_RSA_ALT can be used to define alternative implementations of the RSA interface declared in rsa.h to enable cryptographic accelerators.

(2.7) The following functions in the message digest modules (MD2, MD4, MD5, SHA1, SHA256, SHA512) have been deprecated and replaced as follows:

mbedtls_<MODULE>_starts() is replaced by mbedtls_<MODULE>_starts_ret()
mbedtls_<MODULE>_update() is replaced by mbedtls_<MODULE>_update_ret()
mbedtls_<MODULE>_finish() is replaced by mbedtls_<MODULE>_finish_ret()
mbedtls_<MODULE>_process() is replaced by mbedtls_internal_<MODULE>_process()

The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT.

New deprecations

(2.7) Use of RSA primitives with a non-matching key type has been deprecated (e.g. signing with a public key).

(2.7) Direct manipulation of structure fields of the RSA contexts has been deprecated. Users are advised to use the extended RSA API instead.

(2.7) Message digest functions that return void have been deprecated, and we now recommend use of their equivalent functions that return an error code. This includes mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update, mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> can be any of md2, md4, md5, sha1, sha256, sha512.

(2.7) Use of the DHE parameters from RFC 5114 has been deprecated; they are superseded by the parameters from RFC 3526 or the newly added parameters from RFC 7919.

(2.7) The function mbedtls_ssl_conf_dh_param() for setting the default DHE parameters from hex strings has been deprecated and superseded by the function mbedtls_ssl_conf_dh_param_bin() which accepts the DHM parameters in binary form, matching the constants from the new standards.

Bugfix

(2.7, 2.1, 1.3) Fixed a memory leak in mbedtls_ssl_set_hostname() when called multiple times. Found by projectgus and jethrogb. #836.

(2.7, 2.1, 1.3) Fixed the usage help text in the programs/ssl/ssl_server2 example. Found and fixed by Bei Lin.

(1.3) Fixed an issue with implicit cast compilation warnings with Microsoft Visual Studio in the net.c and x509.c modules and some sample applications.

(2.7, 2.1, 1.3) Fixed an issue with parsing the signature algorithm extension when renegotiating. Previously, renegotiated handshakes would only accept signatures using SHA-1 regardless of the peer's preferences or would alternatively always fail if SHA-1 was disabled.

(2.7, 2.1, 1.3) Fixed the leap year calculation in x509_date_is_valid() to ensure that invalid dates in years at the 100- and 400-year boundaries of the leap year rule are handled correctly. Found by Nicholas Wilson. #694
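The full Gregorian rule has three clauses, and a certificate date validator that implements only the first accepts 29 February in years such as 1900 or 2100. The following is an added example of the complete check, written for this page and not Mbed TLS's x509_date_is_valid() itself.

```c
#include <stdio.h>

/* Gregorian leap-year rule: divisible by 4, except centuries (divisible by
 * 100), unless also divisible by 400. 1900 and 2100 are therefore common
 * years while 2000 is a leap year. */
int is_leap_year(int year)
{
    return (year % 4 == 0) && (year % 100 != 0 || year % 400 == 0);
}

/* Number of days in month mon (1..12) of the given year; 0 for a bad month. */
int days_in_month(int year, int mon)
{
    static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

    if (mon < 1 || mon > 12)
        return 0;
    if (mon == 2 && is_leap_year(year))
        return 29;
    return days[mon - 1];
}

/* Validate a calendar date as decoded from an X.509 UTCTime or
 * GeneralizedTime field. Returns 1 if valid, 0 otherwise. */
int date_is_valid(int year, int mon, int day)
{
    if (year < 0 || year > 9999)        /* GeneralizedTime carries a 4-digit year */
        return 0;
    if (day < 1 || day > days_in_month(year, mon))
        return 0;
    return 1;
}

int main(void)
{
    static const int years[] = { 2000, 1900, 2100, 2004, 2001 };
    int i;

    /* 2000 and 2004 are leap years; 1900, 2100 and 2001 are not */
    for (i = 0; i < 5; i++)
        printf("%04d-02-29 -> %s\n", years[i],
               date_is_valid(years[i], 2, 29) ? "valid" : "invalid");
    return 0;
}
```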

(2.7, 2.1, 1.3) Fixed the acceptance of some invalid RSA-PSS signatures with keys of size 8N+1. Generating these signatures required the private key.

(1.3) Added support for building the test suites on Windows. Contributed by Nicholas Wilson.

(2.7) Fixed compilation warnings regarding the use of a variable before assignment with the IAR Compiler. Found by gkerrien38.

(2.7, 2.1, 1.3) Fixed unchecked return codes from AES, DES and 3DES functions in pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively. If a call to one of the functions of the cryptographic primitive modules failed, the error may not be noticed by the function mbedtls_pem_read_buffer() causing it to return invalid values. Found by Guido Vranken. #756

(2.7, 2.1, 1.3) Corrected extraction of the signature type from the PK instance in the X.509 CRT and CSR writing routines, which prevented these functions from working with alternative RSA implementations. Raised by J.B. in the Mbed TLS forum. #1011

(2.7, 2.1, 1.3) No longer prints the X.509 version tag for v1 certificates, and omits extensions for certificates which are not v3.

(2.7, 2.1, 1.3) Fixed use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.

(2.7) Fixed potential memory leaks in mbedtls_gcm_self_test().

(2.7) Added missing return code checks in mbedtls_aes_self_test().

(2.7, 2.1, 1.3) Fixed issues in the RSA key generation program programs/x509/rsa_genkey and the RSA test suite where the failure of CTR DRBG initialization led to freeing an RSA context and several MPIs without proper initialization beforehand.

(2.7) Fixed an error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.

(2.7) Fixed the example programs/pkey/dh_server.c to ensure it works fully with dh_client.c. Found and fixed by Martijn de Milliano.

(2.7, 2.1, 1.3) Fixed an issue in the cipher decryption with the mode MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding. Note, this padding mode is not used by the TLS protocol. Found and fixed by Micha Kraus.

(2.7) Fixed the entropy.c module to not call mbedtls_sha256_starts() or mbedtls_sha512_starts() during mbedtls_entropy_init().

(2.7) Fixed the entropy.c module to ensure that mbedtls_sha256_init() or mbedtls_sha512_init() is called before operating on the relevant context structure. Do not assume that zeroizing a context is a correct way to reset it. Found independently by ccli8.

(1.3) Fixed a typo in ssl.h that led to a too small value of MBEDTLS_SSL_MAC_ADD when CBC is disabled but ARC4 is enabled.

Changes

(2.7, 2.1, 1.3) Extended the cert_write example program by options to set the certificate version and the message digest, and further, to allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions.

(2.7) mbedtls_rsa_private() now only checks for the RSA structure fields it actually needs. In particular, P and Q are not required if neither CRT nor blinding is used. Reported and fix proposed independently by satur9nine and sliai.

(2.7) Tightened the RSA PKCS#1 v1.5 signature verification code and removed the undeclared dependency of the RSA module on the ASN.1 module.

(2.7) Updated all internal usage of deprecated message digest functions to the new ones with return codes. In particular, this modifies the mbedtls_md_info_t structure. Propagate errors from these functions everywhere except some locations in the ssl_tls.c module.